- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Migrating user from trusted hp-ux to untrusted...
Operating System - HP-UX
1753339
Members
5154
Online
108792
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-02-2009 11:04 PM
тАО12-02-2009 11:04 PM
Referring to
http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1259823029263+28353475&threadId=1212160
Solution suggested in the discussion is for migrating from trusted system to another trusted system.
However I am trying to do the same but to migrate to untrusted system.
My opinion is that the only different is /etc/passwd is * instead of the encrypted password.
In trusted system, encrypted password is in tcb file structure.
My question is:
1. Is it possible to use encrypted password in the tcb file structure but in /etc/passwd. Will this work in untrusted system?
2. Is there any script that do this. I.e migrate user from trusted hp-ux machine to untrusted hp-ux machine.
3. If there is no such script, any advice for me if I'm going to write it.
My objective is to migrate the user exactly as it is configured in the trusted server. Would like to do this without any impact to the trusted server. For instance, not looking forward to make the trusted server to untrusted and then copying /etc/passwd ... or such.
Thanks in advance!
http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1259823029263+28353475&threadId=1212160
Solution suggested in the discussion is for migrating from trusted system to another trusted system.
However I am trying to do the same but to migrate to untrusted system.
My opinion is that the only different is /etc/passwd is * instead of the encrypted password.
In trusted system, encrypted password is in tcb file structure.
My question is:
1. Is it possible to use encrypted password in the tcb file structure but in /etc/passwd. Will this work in untrusted system?
2. Is there any script that do this. I.e migrate user from trusted hp-ux machine to untrusted hp-ux machine.
3. If there is no such script, any advice for me if I'm going to write it.
My objective is to migrate the user exactly as it is configured in the trusted server. Would like to do this without any impact to the trusted server. For instance, not looking forward to make the trusted server to untrusted and then copying /etc/passwd ... or such.
Thanks in advance!
Solved! Go to Solution.
7 REPLIES 7
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-03-2009 04:27 AM
тАО12-03-2009 04:27 AM
Re: Migrating user from trusted hp-ux to untrusted hp-ux
Hi,
You could perhaps migrate user from trusted to trusted and after that untrusted them with tsconvert -r
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=839509
You could test to untrusted your trusted hpux, get a copy of the /etc/passwd and after that re-trusted it.
HTH.
You could perhaps migrate user from trusted to trusted and after that untrusted them with tsconvert -r
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=839509
You could test to untrusted your trusted hpux, get a copy of the /etc/passwd and after that re-trusted it.
HTH.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-04-2009 03:57 AM
тАО12-04-2009 03:57 AM
Re: Migrating user from trusted hp-ux to untrusted hp-ux
Helo smatador,
I proceed with the step as in migrating user from trusted to trusted.
It works. Eventhough I am migrating user from trusted to untrusted system.
I guess it boils down to this:
1. If /etc/passwd have * in the password field. In untrusted system, the account should be blocked.
HOWEVER
2. After copying the tcb folder structure. Having * in /etc/passwd does not block the user if there the user exist in tcb file structure
Can anyone confirm this? I think this is what happen in my case. But not sure about it.
Thanks in advance!
I proceed with the step as in migrating user from trusted to trusted.
It works. Eventhough I am migrating user from trusted to untrusted system.
I guess it boils down to this:
1. If /etc/passwd have * in the password field. In untrusted system, the account should be blocked.
HOWEVER
2. After copying the tcb folder structure. Having * in /etc/passwd does not block the user if there the user exist in tcb file structure
Can anyone confirm this? I think this is what happen in my case. But not sure about it.
Thanks in advance!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-04-2009 07:47 AM
тАО12-04-2009 07:47 AM
Re: Migrating user from trusted hp-ux to untrusted hp-ux
For an untrusted system, the * is just one of any character strings less than 13 that will disable a user's login. The password string in the trusted system would be the same as long as the current password is 8 or less characters. If the password is longer than 8, thene there is no way to use the password from the /tcb directory. You can also see this in the /tcb database of user IDs. The encrypted string following u_pwd= must be exactly 13 characters followed by the : character. If it is 26 characters, then the password is more than 8 characters and you will have to give the user a new password on the untrusted system.
Bill Hassell, sysadmin
Bill Hassell, sysadmin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-06-2009 09:50 PM
тАО12-06-2009 09:50 PM
Re: Migrating user from trusted hp-ux to untrusted hp-ux
Hello Bill Hassel,
I think you are replying to my first post. The way I understand it is:
1. If upon checking encrypted password in the tcb structure, it is exactly 13 character. In this situation I can copy the encrypted password from tcb structures to /etc/passwd. And it will work!
2. If upon checking encrypted password in the tcb file structure, it is more than 13 characters (which is exactly 26 characters). This means that the encrypted password can not be copied into /etc/password as it will not work.
Thanks for you answer to my original post.
However, I have follow the step that involve copying tcb file structures. And it looks like doing so solve my problem.
Possibly because copying the tcb file structure to untrusted system cause the system to be automatically become trusted.
Appreciate it if someone can confirm this.
TIA
Haris
I think you are replying to my first post. The way I understand it is:
1. If upon checking encrypted password in the tcb structure, it is exactly 13 character. In this situation I can copy the encrypted password from tcb structures to /etc/passwd. And it will work!
2. If upon checking encrypted password in the tcb file structure, it is more than 13 characters (which is exactly 26 characters). This means that the encrypted password can not be copied into /etc/password as it will not work.
Thanks for you answer to my original post.
However, I have follow the step that involve copying tcb file structures. And it looks like doing so solve my problem.
Possibly because copying the tcb file structure to untrusted system cause the system to be automatically become trusted.
Appreciate it if someone can confirm this.
TIA
Haris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-06-2009 10:23 PM
тАО12-06-2009 10:23 PM
Solution
The HP-UX system decides whether it's currently trusted or not by checking if the file /tcb/files/auth/system/default exists. If it exists, the system is trusted; if not, it isn't.
So if you copy the entire /tcb file hierarchy from a trusted system to an untrusted one, including /tcb/files/auth/system/default, that makes the second system trusted too.
----
If you get the encrypted password strings from the /tcb file structure and move them to /etc/passwd, it will sort of work _if and only if_ the user's passwords are 8 characters long or shorter.
The trusted system mode uses an expanded version of traditional Unix password hashing algorithm. If the password is 8 characters or less, the encryption result is compatible with the traditional algorithm; but if the password is longer than that, the algorithm will produce an incompatible extended password hash.
When the HP-UX system is in untrusted mode, the password hashing algorithm used in /etc/passwd is strictly the traditional one. If a trusted-mode encrypted password (with unencrypted length of 9 or more characters) is copied to /etc/passwd, logging in to that account becomes impossible until the password is changed.
In the non-trusted mode, the user can type more than 8 characters into the password prompt - but only the first 8 characters will be passed to the encryption process, producing a standard-length Unix password hash. This hash will then be compared with the stored password hash: if they match, the password is accepted. But if an extended password hash is copied to /etc/passwd, the encrypted strings will not be of equal length and the comparision will always fail.
MK
So if you copy the entire /tcb file hierarchy from a trusted system to an untrusted one, including /tcb/files/auth/system/default, that makes the second system trusted too.
----
If you get the encrypted password strings from the /tcb file structure and move them to /etc/passwd, it will sort of work _if and only if_ the user's passwords are 8 characters long or shorter.
The trusted system mode uses an expanded version of traditional Unix password hashing algorithm. If the password is 8 characters or less, the encryption result is compatible with the traditional algorithm; but if the password is longer than that, the algorithm will produce an incompatible extended password hash.
When the HP-UX system is in untrusted mode, the password hashing algorithm used in /etc/passwd is strictly the traditional one. If a trusted-mode encrypted password (with unencrypted length of 9 or more characters) is copied to /etc/passwd, logging in to that account becomes impossible until the password is changed.
In the non-trusted mode, the user can type more than 8 characters into the password prompt - but only the first 8 characters will be passed to the encryption process, producing a standard-length Unix password hash. This hash will then be compared with the stored password hash: if they match, the password is accepted. But if an extended password hash is copied to /etc/passwd, the encrypted strings will not be of equal length and the comparision will always fail.
MK
MK
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2009 02:22 AM
тАО12-07-2009 02:22 AM
Re: Migrating user from trusted hp-ux to untrusted hp-ux
Thanks! Exactly the answer I am looking for.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2009 02:25 AM
тАО12-07-2009 02:25 AM
Re: Migrating user from trusted hp-ux to untrusted hp-ux
All the answers are great. The one by Matti Kurkela give an insight and confirm my findings.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP